For years, Brussels scolded Washington for how its national security agencies played fast and loose with Europeans’ personal data. Now, the United States is giving the European Union a taste of its own medicine.
As part of final negotiations surrounding the so-called EU-U.S. Transatlantic Data Agreement — a long-awaited pact that would allow companies to move data between both regions almost unfettered — the U.S. Department of Justice has been asking increasingly uncomfortable questions about EU member countries’ surveillance practices, according to five EU and U.S. officials and former officials, who spoke on the condition of anonymity to discuss ongoing deliberations.
That includes whether countries including Hungary, Poland and France provide sufficient legal remedies so that non-EU citizens can legally challenge how these countries’ national security agencies access such data. Also at issue is what legal oversight governments have in place to ensure their spooks don’t overstep when collecting personal information for legitimate security concerns.
Such checks are baked into the final stages of the EU-U.S. negotiations and are a legal requirement for Merrick Garland, the U.S. attorney general, before the Department of Justice finalizes its own legal redress mechanism.
That system will give European citizens access to a newly-created legal appeals process that will allow them to make a challenge if they believe American national security agencies have not upheld these individuals’ privacy rights. It is the final hurdle before Brussels deems Washington to have sufficiently adequate privacy standards on par with those of the 27-country bloc. Nevertheless, data protection campaigners are expected to challenge the pact in court.
But after years of Brussels berating Washington for its lax privacy standards, U.S. officials are enjoying their powers to in turn hold EU member countries to account — even if such probes of European surveillance practices are unlikely to significantly delay the approval of the new transatlantic data pact, which is expected to be signed off as soon as July or as late as September.
“It’s been a source of frustration for U.S. officials for a long time,” said Alex Joel, a professor at American University in Washington, D.C., and a former senior officer with the U.S. Office of the Director of National Intelligence. Joel spent years enmeshed in these transatlantic privacy fights, including over Washington’s issues about Europe’s own surveillance practices.
These questions, however, were never part of negotiations between Washington and Brussels, because national security issues remain an EU member country competence, and the European Commission, which oversaw the most recent EU-U.S. data negotiations, has no role in how governments uphold privacy rules in their surveillance practices.
The European Commission declined to comment, and the U.S. Department of Justice did not respond to a request for comment. But Peter Winn, chief privacy and civil liberties officer for the U.S. agency, told POLITICO last week that Washington would be ready to meet its obligations under the proposed EU-U.S. data pact.
“We expect to be complete well, well before any possible adequacy decision might be issued,” he said in reference to the legal structures required in the U.S. to give Europeans the right to challenge how the country’s national security agencies handle their data.
Meta’s countdown
As the U.S. Department of Justice kicks the tires of European countries’ data-hungry surveillance practices, time is also ticking for Facebook parent company Meta to figure out how it can move its users’ personal information across the Atlantic.
Ireland’s privacy regulator is expected to announce by May 12 that Meta can no longer use so-called standard contractual clauses — complex data-transfer legal mechanisms — to shift Europeans’ data to the U.S. because of ongoing data protection concerns linked to how American national security agencies access EU citizens’ personal information.
That decision that will also include a fine, though POLITICO has not yet been able to determine the size of the levy. The Irish privacy regulator declined to comment. In a financial filing late Wednesday, Meta said also it expected to have to comply with the order “no earlier than the fourth quarter of 2023,” and would appeal to put a hold on the decision.
Dublin is expected to give Meta up to five months to comply with its ruling, setting a countdown on which will happen first: either a new EU-U.S. data agreement or the company being forced to shut down transatlantic data transfers.
The EU and the U.S. are optimistic that a new pact, which would overrule the Irish regulator’s upcoming ruling that would stop the tech giant from moving personal information between both regions, should be in place in time. But company executives fret that with time ticking down, there is a narrow window to secure a deal before the total ban on transatlantic data transfers from Dublin is in place.
“We will also evaluate whether and to what extent the (Ireland regulator’s) decision could otherwise impact our data processing operations even after a new data privacy framework is in force,” the social networking giant said in a statement.
Source : POLITICO